Netgate Discussion Forum
    CGNAT and pfSense

    Category: General pfSense Questions (6 posts, 3 posters, 3.3k views)
    • MarinSNB

      Hi everyone,

      I had Metronet fiber installed yesterday (symmetric 1 Gbps, CGNAT) and am getting ready to install a Netgate 6100 soon. My install will be:

      ISP (ONT) -> pfSense -> UniFi switch, which will have a CKG2+ controller and access points attached to it. I was wondering if you could assist me with a couple of questions:

      1. I noticed that Metronet has a 100.xxx.xx.x IP address. I don’t have a static IP and don’t plan to get one unless I have to. I don’t play games or have any servers. Do I have to be concerned about a double NAT situation once I connect my Netgate 6100 to the ONT (via the Ethernet port on the ONT)? What is the easiest way to check if you are double-NAT’ed?

      2. Would it be possible to bypass the ONT and connect the fiber directly to pfSense via the 1G SFP WAN port? I was looking on Amazon and couldn’t find an optical transceiver that would accommodate my fiber plug, but I could be looking at the wrong products. My ONT is a Nokia G-010G-A.

      Appreciate your assistance!

      Thank you!!

      Marin

      Netgate 6100 Max pfSense+
      —>Unifi Aggregation/24 Pro PoE/24 PoE Enterprise switches
      —> UCK2+
      —> 3x U6E APs

      • johnpoz (LAYER 8 Global Moderator) @MarinSNB

        @marinsnb said in CGNAT and pfSense:

        Do I have to be concerned for a double NAT situation

        Unless you wanted to serve up something, like Plex, or be able to get to your network while you're remote, being behind a double NAT should not be an issue.

        Or, as you mention games, were doing something that would require unsolicited inbound traffic. Double NAT would mostly be problematic for something that required a specific source port.

        NAT as used today is really NAPT (network address port translation), where the source port of the traffic is also changed along with the IP.

        In some applications it might be expected that the traffic comes from IP:specificport. If there is only a single NAT that you control, you can control this with, say, "static port" in pfSense.

        https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#static-port

        This might be related to some games more often than not. When you're behind a double NAT, say some ISP gateway device in front of pfSense, or with carrier-grade NAT, you might not have any control of that. And even if you tell pfSense to do a static port NAT, the upstream NAT might not honor your source port. Or say you VPN into your work or something, depending on what VPN solution they are using.

        But generally speaking you should not really run into any issues if you're not a gamer, or don't plan on allowing unsolicited inbound traffic from the internet into something on your network.

        As to bypassing your ONT and putting the fiber directly into pfSense, there has been some success in doing that that I have seen. Whether it would work with your ISP, sorry, I'm not going to be very helpful there. Maybe someone else using the same ISP as you would be helpful, if you gave the specific ISP you have. Metronet could also just be a generic sort of term for your connection; is that your actual ISP name? https://www.metronetinc.com/

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

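The NAPT and static-port behaviour johnpoz describes, modelled as an added example (my code, not pf's and not from any post in this thread): a toy NAPT device that rewrites the source port of each new outbound flow unless it is told to keep it, crossed once for a single NAT and twice for pfSense sitting behind an ISP's CGNAT. The device names, the 192.168.1.10 client, the 100.64.12.34 and 203.0.113.7 addresses and the sequential port allocation are constructed for the illustration; real pf picks the translated port at random from 1024:65535, and a static-port setting in pfSense is matched per outbound NAT rule rather than device-wide.

```python
from dataclasses import dataclass, field

Flow = tuple[str, int]   # (source IP, source port) as seen at a given point in the path


@dataclass
class Napt:
    """Toy NAPT device (added example, not pf). Outbound flows get the device's
    WAN address and, unless static_port is set, a fresh translated source port."""
    name: str
    wan_ip: str
    static_port: bool = False
    next_port: int = 40000          # toy: sequential allocation; real pf randomises 1024:65535
    table: dict[Flow, int] = field(default_factory=dict)

    def translate(self, src_ip: str, src_port: int) -> Flow:
        key = (src_ip, src_port)
        if key not in self.table:            # new flow: allocate a mapping once, reuse afterwards
            if self.static_port:
                self.table[key] = src_port   # keep the inside port (toy assumes no collision)
            else:
                self.table[key] = self.next_port
                self.next_port += 1
        return self.wan_ip, self.table[key]


def traverse(nats: list[Napt], src_ip: str, src_port: int) -> Flow:
    """What the far end sees after the packet crosses each NAT in order (inside first)."""
    ip, port = src_ip, src_port
    for nat in nats:
        ip, port = nat.translate(ip, port)
    return ip, port


def run_scenarios() -> dict[str, Flow]:
    """Constructed scenarios: a LAN host 192.168.1.10 sending from source port 4500."""
    lan = ("192.168.1.10", 4500)
    results: dict[str, Flow] = {}

    # 1. Single NAT, pfSense default outbound rule: the source port is rewritten.
    results["single_default"] = traverse([Napt("pfSense", "100.64.12.34")], *lan)

    # 2. Single NAT with a static-port outbound rule: the far end sees port 4500.
    results["single_static"] = traverse([Napt("pfSense", "100.64.12.34", static_port=True)], *lan)

    # 3. Double NAT: pfSense keeps the port, but the ISP's CGNAT in front of it does not.
    pf = Napt("pfSense", "100.64.12.34", static_port=True)
    isp = Napt("ISP CGNAT", "203.0.113.7")
    results["double_static_inner"] = traverse([pf, isp], *lan)
    return results


if __name__ == "__main__":
    for name, (ip, port) in run_scenarios().items():
        print(f"{name:>20}: far end sees {ip}:{port}")
```

Scenario 3 is the case johnpoz warns about: the static-port rule on pfSense does exactly what it is asked, and the outer NAT, which you do not administer, still picks its own port.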
        • MarinSNB @johnpoz

          @johnpoz

          That’s good to know - thank you so much as always! And yes, the link you included is from my ISP!

          Thanks again!

          Marin

          • SteveITS (Galactic Empire) @MarinSNB

            @marinsnb Does the Metronet device allow for "passthrough" (your router gets a public IP) or DMZ (all inbound traffic is forwarded to your router IP)?

            In general, though, as John said, there's not usually anything to worry about if there aren't inbound connections.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            • MarinSNB @SteveITS

              @steveits I am not sure, but my WAN gets a 100.xxx.xx.x IP according to my pfSense.

              Thank you,

              Marin

              • johnpoz (LAYER 8 Global Moderator) @MarinSNB

                @marinsnb said in CGNAT and pfSense:

                but my WAN gets a 100.xxx.xx.x IP according to my pfSense.

                Yeah, 100.64/10, i.e. 100.64-127.x.x, is the CGNAT range. If that is what your ISP is using, there's not much you can do about that other than contacting them to see if they can give you an actual public IP, possibly for more $$.

                Do you also get an IPv6 address? That should be a global, public address. I would hope they would do a prefix delegation of /56 or even /48, which would allow for not NATting when doing IPv6.

                The problem with CGNAT is that even getting, say, a Hurricane Electric IPv6 tunnel isn't going to work.

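The two checks this thread discusses, put into code as an added example that is not from any of the posts: classify an address against RFC 1918 and the RFC 6598 shared range johnpoz quotes (100.64.0.0/10), decide from the router's WAN address and the address an outside party sees whether another NAT sits upstream of pfSense (the "easiest way to check" asked for in the first post), and, as a weaker hint, flag private or CGNAT hops beyond hop 1 in traceroute output. The traceroute text and every address in it (100.64.12.34, 203.0.113.7, 100.64.0.1, ...) are constructed for the example; "public" here only means "none of the checked ranges", so documentation addresses such as 203.0.113.0/24 count as public.

```python
import ipaddress
import re
from typing import Optional

# Ranges that, seen on the router's WAN, mean a NAT sits upstream of it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space, 100.64-127.x.x


def classify(addr: str) -> str:
    """'private' (RFC 1918), 'cgnat' (RFC 6598), 'other' (loopback/link-local) or 'public'.
    'public' only means none of the checked ranges matched."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local:
        return "other"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def assess(wan_ip: str, observed_ip: str) -> str:
    """Compare the address on the router's WAN with the address the outside world sees."""
    kind = classify(wan_ip)
    if kind == "cgnat":
        return "double NAT (upstream CGNAT)"      # ISP translates again; your static port is not honoured
    if kind == "private":
        return "double NAT (upstream gateway)"    # e.g. an ISP router still routing and NATting
    if wan_ip == observed_ip:
        return "single NAT"                       # the router itself holds the public address
    return "address rewritten upstream"           # public WAN address, but not the one seen outside


# Unix traceroute lines: "<hop>  host (a.b.c.d)  1.2 ms ..." or "<hop>  * * *"
_HOP_WITH_IP = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")
_HOP_TIMEOUT = re.compile(r"^\s*(\d+)\s+\*")


def parse_traceroute(text: str) -> list[tuple[int, Optional[str]]]:
    """(hop number, responding IP or None for a timeout) for each hop line."""
    hops = []
    for line in text.splitlines():
        m = _HOP_WITH_IP.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
            continue
        m = _HOP_TIMEOUT.match(line)
        if m:
            hops.append((int(m.group(1)), None))
    return hops


def non_public_hops_beyond_gateway(hops) -> list[tuple[int, str, str]]:
    """Hop 1 is your own router, so it is expected to be private. Private or CGNAT
    addresses after it are at best ISP infrastructure links and at worst another NAT."""
    return [(n, ip, classify(ip)) for n, ip in hops if n > 1 and ip and classify(ip) != "public"]


# Constructed output for the example: a LAN host tracing out through pfSense and a CGNAT ISP.
SAMPLE_TRACEROUTE = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.380 ms  0.361 ms
 2  100.64.0.1 (100.64.0.1)  2.103 ms  2.050 ms  2.011 ms
 3  * * *
 4  203.0.113.1 (203.0.113.1)  5.201 ms  5.188 ms  5.150 ms
"""

if __name__ == "__main__":
    print(assess("100.64.12.34", "203.0.113.7"))
    for hop, ip, kind in non_public_hops_beyond_gateway(parse_traceroute(SAMPLE_TRACEROUTE)):
        print(f"hop {hop}: {ip} is {kind}")
```

On pfSense the WAN address is shown under Status > Interfaces; the observed address is whatever a "what is my IP" style service reports to a client behind the router. The traceroute hint is not proof on its own, since some ISPs number infrastructure links from RFC 1918 or 100.64/10 without translating anything; the WAN-address comparison is the conclusive check.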
                • jimpJ jimp moved this topic from Problems Installing or Upgrading pfSense Software on
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.